Google blocks Android spyware family Lipizzan

Google’s Android Security and Threat Analysis teams have jointly discovered a new spyware family that was distributed through various channels, including the Play Store. Called Lipizzan, the spyware has been detected in 20 apps that are said to be present on fewer than 100 devices.

Unlike some earlier spyware, Lipizzan is a multi-stage spyware that can be used to monitor and exfiltrate email, text messages, location, voice calls and media. It is typically presented as an innocuous-sounding app such as a “Backup” or “Cleaner” app. Once installed, the spyware downloads and loads a second “license verification” stage that validates some abort criteria on the hardware.

“If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a command and control server,” the team, which comprises Android Security’s Megan Ruthven and Threat Analysis Group’s Ken Bodzak and Neel Mehta, writes in a blog post.

Affected regular tasks and widely popular apps

The second stage of Lipizzan is capable of performing tasks such as call recording, VoIP, voice recording, location monitoring, screenshot capturing and taking photos, and of exfiltrating the results. Additionally, it can help attackers retrieve data from apps like Gmail, Hangouts, KakaoTalk, LinkedIn, Messenger, Skype, Snapchat, Viber and WhatsApp, among others.

Google researchers found Lipizzan while investigating Chrysaor, a recently emerged spyware that was believed to be written by NSO Group. Once the spyware was identified, the Google Play Protect service sent a notification to all affected devices and removed the apps containing Lipizzan from the online store.

Moreover, Google has enhanced Play Protect’s capabilities to continuously detect and block targeted spyware on the Android platform. Developers need to use only official resources for building their apps to ensure a secure and safe experience.